Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

POST data encryption - Is HTTPS enough?

Consider a scenario, where user authentication (username and password) is entered by the user in the page's form element, which is then submitted. The POST data is sent via HTTPS to a new page (where the php code will check for the credentials). Now if a hacker sits in the network, and say has access to all the traffic, is the Application layer security (HTTPS) enough in this case ? I mean, would there be adequate URL encryption or is there a need to have Transport Layer security ?

like image 518
Hari Avatar asked Mar 15 '11 09:03

Hari


People also ask

Is HTTPS enough for encryption?

HTTPS over SSL/TLS is designed to provide encryption in transit. Since communication between a browser and website server (with a secure certificate) is in an encrypted format, the data packets in transit cannot be tampered with or read even if they are intercepted.

Does HTTPS encrypt post data?

HTTPS encrypts nearly all information sent between a client and a web service.

How secure is HTTPS POST request?

HTTPS is HTTP with encryption and verification. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses, and to digitally sign those requests and responses. As a result, HTTPS is far more secure than HTTP.

Is HTTPS 100% secure?

Just because a website has a certificate, or starts with HTTPS, does not guarantee that it is 100% secure and free from malicious code. It just means that the website is probably safe. In the vast majority of cases the sites will be. Just not always.


2 Answers

Yes, everything (including the URL) is going through the encrypted channel. The only thing that the villain would find out is the IP address of the server you are connecting to, and that you are using HTTPS.

Well, if he was monitoring your DNS requests as well, he might also know the domain name of the IP address. But just that, the path, query parameters, and everything else is encrypted.

like image 89
Vilx- Avatar answered Sep 18 '22 00:09

Vilx-


Yes. In an HTTPS only the handshake is done unencrypted, but even the HTTP GET/POST query's are done encrypted.

It is however impossible to hide to what server you are connecting, since he can see your packets he can see the IP address to where your packets go. If you want to hide this too you can use a proxy (though the hacker would know that you are sending to a proxy, but not where your packets go afterwards).

like image 30
orlp Avatar answered Sep 22 '22 00:09

orlp